Selling a device that would not conform with
certain federal content protection technologies, to be
adopted within 12 months of the bill passing, could raise charges of up to US$500,000 in fines and 5 years in prison.

Some excerpts from the draft presented:

Sec. 101: Prohibition of Certain Devices

(a) In General -- It is unlawful to manufacture, import, offer to the public, provide or otherwise traffic in any interactive digital device that does not include and utilize certified security technologies that adhere to the security system standards adopted under section 104.

Sec. 103: Prohibited Acts

(a) Removal or Alteration of Security -- No person may --

(1) remove or alter any certified security technology in an interactive digital device; or

(2) transmit or make available to the public any copyrighted material or other protected content where the security measure associated with a certified security technology has been removed or altered.

The effects of such a legislation in the field of
personal computing would be, IMHO, its complete
death. In part because there is no way to conceive
a free softwareoperating system to ship with unremovable
content control technologies, without taking away its
freedom, but also, I don't think it's possible for one to be able to program a computer without having the power
to violate such protected content. Thus programing might
just as well be ilegal. At least programing your own
operating system would.

(b) EXCEPTION.--Subsection (a) does not apply to the offer for sale or provision of, or other trafficking in, any previously-owned interactive digital device, if such device was legally manufactured or imported, and sold, prior to the effective date of regulations adopted under section 104 and not subsequently modified in violation of (a) or 103(a).

SEC. 102. PRESERVATION OF THE INTEGRITY OF SECURITY.

An interactive computer service shall store and transmit with integrity any security measure associated with certified security technologies that is used in connection with copyrighted material or other protected content such service transmits or stores.

SEC. 103. PROHIBITED ACTS.

(a) REMOVAL OR ALTERATION OF SECURITY. -- No person may --

(1) remove or alter any certified security technology in an interactive digital device; or

(2) transmit or make available to the public any copyrighted material or other protected content where the security measure associated with a certified security technology has been removed or altered.

(c) AFFIRMATIVE DETERMINATION. -- If the Secretary makes a determination under subsection (b)(1) that an agreement on security system standards that meet the criteria in subsection (a) has been reached by those representatives, then the Secretary shall --

(1) initiate rulemaking within 30 days after the date on which the determination is made to adopt those standards; and

(2) publish a final rule pursuant to that rulemaking not later than 90 days after initiating the rulemaking that will take effect 1 year after its publication.

(d) NEGATIVE DETERMINATION. -- If the Secretary makes a determination under subsection (b)(1) that an agreement on security system standards that meet the criteria in subsection (a) has not been reached by those representatives, then the Secretary --

(1) in consultation with representatives described in subsection (b)(1)(A), the National Institute of Standards and Technology and the Register of Copyrights, shall initiate a rulemaking within 30 days after the date on which the determination is made to adopt security system standards that meet those criteria to provide effective security for copyrighted material and other protected content; and

(2) publish a final rule pursuant to that rulemaking not later than 1 year after initiating the rulemaking that will take effect 1 year after its publication.

(e) MEANS OF IMPLEMENTING STANDARDS. -- The security system standards adopted under subsection (c) or (d) shall provide for secure technical means of implementing directions of copyright owners, for copyrighted material, and rights holders, for other protected content, with regard to the reproduction, performance, display, storage, and transmission such material or content.

(f) SUBSEQUENT MODIFICATION; NEW STANDARDS. -- The Secretary may conduct subsequent rulemakings to modify any standards established under subsection (c) or (d) or to adopt new security system standards that meet the criteria in subsection (a). In conducting any such subsequent rulemaking, the Secretary shall consult with representatives of interactive digital device manufacturers, representatives of copyright owners, the National Institute of Standards and Technology, and the Register of Copyrights. Any final rule published in such a subsequent rulemaking shall --

(2) take into consideration the effect of adoption of the modified or new security system standards on consumers' ability to utilize interactive digital devices manufactured before the modified or new standards take effect.

SEC. 105. CERTIFICATION OF TECHNOLOGIES.

The Secretary shall certify technologies that adhere to the security system standards adopted under section 104. The Secretary shall certify only those conforming technologies that available for licensing on reasonable and nondiscriminatory terms.

(a) IN GENERAL. -- Any person described in section 104(b)(1)(A) may file with the Secretary of Commerce a request for authority for a group of 2 or more such persons to meet and enter into discussions, if the sole purpose of the discussions is to discuss the development of security system standards under section 104. The Secretary shall grant or deny the request within 10 days after it is received.

(b) PROCEDURE. -- The Secretary shall establish procedures within 30 days after the date of enactment of this Act for filing requests for an authorization under subsection (a).

(c) EXEMPTION AUTHORIZED. -- When the Secretary finds that it is required by the public interest, the Secretary shall exempt a person participating
in a meeting or discussion described in subsection (a) from the antitrust laws to the extent necessary to allow the person to proceed with the activities
approved in the order.

(d) ANTITRUST LAWS DEFINED. -- In this section, the term "antitrust laws"
has the meaning given that term in the the first section of the Clayton Act (15 U.S.C. 12).

SEC. 108. ENFORCEMENT.

The provisions of section 1203 and 1204 of title 17, United States Code,
shall apply to any violation of this title as if --

(1) a violation of section 101 or 103(a)(1) of this Act were a violation
of section 1201 of title 17, United States Code; and

(2) a violation of section 102 or section 103(a)(2) of this Act were a violation
of section 1202 of that title.

SEC. 109. DEFINITIONS.

In this title:

(1) CERTIFIED SECURITY TECHNOLOGY. -- The term "certified security technology"
means a security technology certified by the Secretary of Commerce under
section 105.

(2) INTERACTIVE COMPUTER SERVICE. -- The term "interactive computer service"
has the meaning given that term in section 230(f) of the Communications Act
of 1934 (47 U.S.C. 230(f)).

(4) SECRETARY. -- The term "Secretary" means the Secretary of Commerce.

SEC. 110. EFFECTIVE DATE.

This Act shall take effect on the date of enactment of this Act, except that
sections 101, 102, and 103 shall take effect on the day on which the final
rule published under section 104(c) or (d) takes effect.

(6) The Nation's information infrastructures are owned, for the most part,
by the private sector, and partnerships and cooperation will be needed for
the security of these infrastructures.

(7) There is little financial incentive for private companies to enhance
the security of the Internet and other infrastructures as a whole. The Federal
government will need to make investments in this area to address issues and
concerns not addressed by the private sector.

(b) PURPOSES. -- The purpose of the Council is to collect and share information
about, and to increase public awareness of, information security practices
and programs, threats to information security, and responses to those threats.

(c) STUDY. -- Within 12 months after the date of enactment of the Act, the
Council shall publish a report which evaluates and describes areas of computer
security research and development that are not adequately developed or funded.

SEC. 203. RESEARCH AND DEVELOPMENT.

Section 20 of the National Institute of Standards and Technology Act (15
U.S.C. 278g-3) is amended --

(1) by redesignating subsections (c) and (d) as subsections (d) and (e)
respectively; and

(2) by inserting after subsection (b) the following:

"(c) RESEARCH AND DEVELOPMENT OF PROTECTION TECHNOLOGIES. --

"(1) IN GENERAL. -- The Institute shall establish a program at the National
Institute of Standards and Technology to conduct, or to fund the conduct
of, research and development of technology and techniques to provide security
for advanced communications and computing systems and networks including
the Next Generation Internet, the underlying structure of the Internet, and
networked computers.

"(2) PURPOSE. -- A purpose of the program established under paragraph (1)
is to address issues or problems that are not addressed by market-driven,
private-sector information security research. This may include research --

"(A) to identify Internet security problems which are not adequately addressed
by current security technologies;

"(C) to enhance the security and reliability of the underlying Internet
infrastructure while minimizing other operational impacts such as speed;
and

"(D) to allow networks to become self-healing and provide for better analysis
of the state of Internet and infrastructure operations and security.

"(3) MATCHING GRANTS. -- A grant awarded by the Institute under the program
established under paragraph (1) to a commercial enterprise may not exceed
50 percent of the cost of the project to be funded by the grant.

"(4) AUTHORIZATION OF APPROPRIATIONS. -- There are authorized to be appropriated
to the Institute to carry out this subsection --

"(A) $50,000,000 for fiscal year 2001;

"(B) $60,000,000 for fiscal year 2002;

"(C) $70,000,000 for fiscal year 2003;

"(D) $80,000,000 for fiscal year 2004;

"(E) $90,000,000 for fiscal year 2005; and

"(F) $100,000,000 for fiscal year 2006."

SEC. 204. COMPUTER SECURITY TRAINING PROGRAMS.

(a) IN GENERAL. -- The Secretary of Commerce, in consultation with appropriate
Federal agencies, shall establish a program to support the training of
individuals in computer security, Internet security, and related fields at
institutions of higher education located in the United States.

(b) SUPPORT AUTHORIZED. -- Under the program established under subsection
(a), the Secretary may provide scholarships, loans, and other forms of financial aid to students at institutions of higher education. The Secretary shall require a recipient of a scholarship under this program to provide a reasonable period of service as an employee of the United States government after graduation as a condition of the scholarship, and may authorize full or partial forgiveness of indebtedness for loans made under this program in exchange for periods
of employment by the United States government.

(c) AUTHORIZATION OF APPROPRIATIONS. -- There are authorized to be appropriated
to the Secretary such sums as may be necessary to carry out this subsection
--

(A) $15,000,000 for fiscal year 2001;

(B) $17,000,000 for fiscal year 2002;

(C) $20,000,000 for fiscal year 2003;

(D) $25,000,000 for fiscal year 2004;

(E) $30,000,000 for fiscal year 2005; and

(F) $35,000,000 for fiscal year 2006.

SEC. 205. GOVERNMENT INFORMATION SECURITY STANDARDS.

(a) IN GENERAL. -- Section 20(b) of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3(b)) is amended --

(1) by striking "and" after the semicolon in paragraph (4);

(2) redesignating paragraph (5) as paragraph (6); and

(3) by inserting after paragraph (4) the following:

"(5) to provide guidance and assistance to Federal agencies in the protection of interconnected computer systems and to coordinate Federal response efforts related to unauthorized access to Federal computer systems; and".

(2) by striking the period at the end of paragraph (2) and inserting in lieu
thereof "; and"; and

(3) by adding at the end the following new paragraph:

"(3) to include emphasis on protecting the availability of Federal electronic
citizen services and protecting sensitive information in Federal databases
and Federal computer sites that are accessible through public networks.".

(1) by redesignating subsections (d) and (e) as subsections (e) and (f)
respectively; and

(2) by inserting after subsection (c), the following:

"(d) AWARD PROGRAM. -- The Institute may establish a program for the recognition
of excellence in Federal computer system security practices, including the
development of a goal, symbol, mark, or logo that could be displayed on the
website maintained by the operator of such a system recognized under the
program. In order to be recognized under the program, the operator --

"(1) shall have implemented exemplary processes for the protection of its
systems and the information stored on that system;

"(2) shall have met any standard established under subsection (a);

"(3) shall have a process in place for updating the system security procedures;
and

"(4) shall meet other criteria as the Institute may require.".

SEC. 207. DEVELOPMENT OF AUTOMATED PRIVACY CONTROLS.

Section 20 of the the National Institute of Standards and Technology Act
(15 U.S.C. 278g-3), as amended by section 206, is further amended --

(1) by redesignating subsections (f) as subsection (g); and

(2) by inserting after subsection (e), the following:

"(f) DEVELOPMENT OF INTERNET PRIVACY PROGRAM. -- The Institute shall encourage
and support the development of one or more computer programs, protocols,
or other software, such as the World Wide Web Consortium's P3P program, capable
of being installed on computers, or computer networks, with Internet access
that would reflect the users preferences for protecting personally-identifiable
or other sensitive, privacy-related information, and automatically execute
the program, once activated, without requiring user intervention.".